[OE-core] [RFC][PATCH 1/6] npm.bbclass: refactor the npm class

Jean-Marie LEMETAYER jean-marie.lemetayer at savoirfairelinux.com
Wed Oct 23 13:17:33 UTC 2019


On Oct 22, 2019, at 1:35 PM, Alexander Kanavin alex.kanavin at gmail.com wrote:
> On Tue, 22 Oct 2019 at 11:12, Jean-Marie LEMETAYER <
> jean-marie.lemetayer at savoirfairelinux.com> wrote:
> 
>> The simplest solution is to let npm do its job. Assuming the fetcher
>> only gets the sources of the package, the class will now run
>> 'npm install' to create a build directory. The build directory is then
>> copied wisely to the destination.
>>
> 
> I agree that npm dependency handling is a mess, and we should indeed let npm
> do the job.
> 
> However, 'npm install' pulls various things from the network; this can only
> happen during do_fetch(), so that offline builds can continue to work.
> Whatever has been downloaded needs to go to DL_DIR.

You are right, I am working on a v2 to fix this point.

> It also needs to be reproducible (there should be a guarantee that it
> always pulls the same set of sources which are verified through a checksum
> of some kind), I guess that can only be achieved through upstream provided
> shrinkwrap?

Yes, with current npm versions the "npm-shrinkwrap.json" [1] or the
"package-lock.json" [2] are both used to describe the dependency tree and
verify the integrity of the dependencies. This is what makes the build
reproducible. One of these files is mandatory to build the recipe (in the
source files or provided by the NPM_SHRINKWRAP variable).

For information, the current 'node' version packed in meta-oe is '10.16.3'
which includes 'npm' version '6.9.0' [3].

1: https://docs.npmjs.com/files/shrinkwrap.json
2: https://docs.npmjs.com/files/package-lock.json
3: https://nodejs.org/en/download/releases/

Regards,
Jean-Marie
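
Added example, not part of the original message or of the npm.bbclass patch: a Python sketch of the two checks the reply relies on, namely that every entry in the lock file carries a `resolved` URL and an `integrity` hash, and that downloaded bytes match that hash. It assumes the `lockfileVersion` 1 layout written by npm 6; the function names and the sample data are hypothetical and constructed for illustration.

```python
import base64
import hashlib

# Digest algorithms accepted in an SRI string, strongest first.
SRI_ALGOS = ("sha512", "sha384", "sha256", "sha1")

def walk_lock(deps, prefix=""):
    """Yield (path, entry) for every package in a lockfileVersion 1 tree."""
    for name, entry in (deps or {}).items():
        yield prefix + name, entry
        yield from walk_lock(entry.get("dependencies"), prefix + name + " > ")

def unpinned(lock):
    """Return paths of entries that cannot be fetched and verified offline."""
    bad = []
    for path, entry in walk_lock(lock.get("dependencies")):
        if entry.get("bundled"):
            continue  # shipped inside the parent's tarball, covered by its hash
        if not entry.get("resolved") or not entry.get("integrity"):
            bad.append(path)
    return bad

def sri_matches(data, integrity):
    """Check bytes against the strongest supported hash in an SRI string."""
    hashes = dict(h.split("-", 1) for h in integrity.split() if "-" in h)
    for algo in SRI_ALGOS:
        if algo in hashes:
            digest = base64.b64encode(hashlib.new(algo, data).digest()).decode()
            return digest == hashes[algo].split("?")[0]
    return False  # no supported algorithm: treat as unverified

# Constructed sample data (not from any real package).
TARBALL = b"constructed tarball bytes"
SRI = "sha512-" + base64.b64encode(hashlib.sha512(TARBALL).digest()).decode()
LOCK = {
    "lockfileVersion": 1,
    "dependencies": {
        "left": {
            "version": "1.0.0",
            "resolved": "https://registry.example.invalid/left/-/left-1.0.0.tgz",
            "integrity": SRI,
            "dependencies": {"inner": {"version": "git+https://example.invalid/inner.git"}},
        },
        "packed": {"version": "2.0.0", "bundled": True},
    },
}

if __name__ == "__main__":
    print("unpinned:", unpinned(LOCK))
    print("tarball ok:", sri_matches(TARBALL, SRI))
```

An entry reported by `unpinned` is one that a fetch step could not place in DL_DIR with a checksum, which is the reproducibility gap raised in the quoted question.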

